Remove SAST_DEFAULT_ANALYZERS
This is a follow-up to "Proposal: Migrate from SAST_DEFAULT_ANALYZERS to SAST_EXCLUDED_ANALYZERS".
Implementation plan
- update documentation - !62415 (merged)
- SAST Config UI update to support SAST_EXCLUDED_ANALYZERS only and ignore SAST_DEFAULT_ANALYZERS - !63317 (merged)
- update Security Products projects to not rely on SAST_DEFAULT_ANALYZERS (CI configuration of the analyzer projects, shared CI config)
- update SAST vendored template to remove support for SAST_DEFAULT_ANALYZERS and break backward compatibility - !63538 (merged)
- remove remaining instances of SAST_DEFAULT_ANALYZERS from Security Products projects
Timing
SAST_DEFAULT_ANALYZERS is eligible for removal in %14.0 at the earliest.
Security Products To Be Updated
- https://gitlab.com/gitlab-org/security-products/analyzers/browserker/-/blob/main/.gitlab-ci.yml need to exclude stuff for main project, has some JS
- https://gitlab.com/gitlab-org/security-products/analyzers/semgrep/-/blob/main/.gitlab-ci.yml need to exclude stuff to just run semgrep on downstream
- https://gitlab.com/gitlab-org/security-products/dast/-/blob/main/.gitlab-ci.yml has some JS
- https://gitlab.com/gitlab-org/security-products/analyzers/brakeman/-/blob/master/.gitlab-ci.yml has Ruby, should be excluded - MR: gitlab-org/security-products/analyzers/brakeman!74 (merged)
- https://gitlab.com/gitlab-org/security-products/tests/ruby-bundler-rails/-/blob/master/.gitlab-ci.yml has JS, should exclude eslint and semgrep
- https://gitlab.com/gitlab-org/security-products/tests/ruby-generic/-/blob/master/.gitlab-ci.yml
- https://gitlab.com/gitlab-org/security-products/analyzers/eslint/-/blob/master/.gitlab-ci.yml need to exclude semgrep from downstream tests - MR: gitlab-org/security-products/analyzers/eslint!84 (merged)
- https://gitlab.com/gitlab-org/security-products/tests/js/-/blob/master/.gitlab-ci.yml needs to be updated, has SAST_DEFAULT_ANALYZERS hardcoded for eslint
- https://gitlab.com/gitlab-org/security-products/tests/typescript-yarn/-/blob/master/.gitlab-ci.yml needs to be updated, has SAST_DEFAULT_ANALYZERS hardcoded for eslint
- https://gitlab.com/gitlab-org/security-products/analyzers/nodejs-scan/-/blob/master/.gitlab-ci.yml exclude semgrep and eslint for QA - MR: gitlab-org/security-products/analyzers/nodejs-scan!102 (merged)
- https://gitlab.com/gitlab-org/security-products/tests/nodejs/-/blob/master/.gitlab-ci.yml exclude semgrep and eslint
- https://gitlab.com/gitlab-org/security-products/analyzers/bandit/-/blob/master/.gitlab-ci.yml update to exclude semgrep - MR: gitlab-org/security-products/analyzers/bandit!77 (merged)
- https://gitlab.com/gitlab-org/security-products/tests/python-pip-flask/-/blob/master/.gitlab-ci.yml update to exclude bandit, 4 FREEZE branches
- https://gitlab.com/gitlab-org/security-products/tests/python-pip/-/blob/master/.gitlab-ci.yml needs update, runs both bandit and semgrep, not sure what needs to be done for the two jobs, 2 FREEZE branches
- https://gitlab.com/gitlab-org/security-products/tests/python-pipenv/-/blob/master/.gitlab-ci.yml needs update, runs both bandit and semgrep, not sure what needs to be done for the two jobs, 3 FREEZE branches
- https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs/-/blob/master/.gitlab-ci.yml needs to exclude spotbugs from main run, possibly needs to add excludes for QA - MR: gitlab-org/security-products/analyzers/spotbugs!104 (merged)
- https://gitlab.com/gitlab-org/security-products/tests/monorepo-spotbugs/-/blob/master/.gitlab-ci.yml need to exclude eslint and semgrep, 1 FREEZE branch
- https://gitlab.com/gitlab-org/security-products/tests/java-gradle-kotlin-dsl/-/blob/master/.gitlab-ci.yml needs update, 1 FREEZE branch
- https://gitlab.com/gitlab-org/security-products/tests/java-gradle/-/blob/master/.gitlab-ci.yml needs update, 3 FREEZE branches
- https://gitlab.com/gitlab-org/security-products/tests/java-groovy/-/blob/master/.gitlab-ci.yml needs update, 2 FREEZE branches
- https://gitlab.com/gitlab-org/security-products/tests/java-maven-multimodules/-/blob/master/.gitlab-ci.yml needs update, 2 FREEZE branches
- https://gitlab.com/gitlab-org/security-products/tests/java-maven/-/blob/master/.gitlab-ci.yml needs update, 5 FREEZE branches
- https://gitlab.com/gitlab-org/security-products/tests/kotlin-gradle/-/blob/master/.gitlab-ci.yml needs update
- https://gitlab.com/gitlab-org/security-products/analyzers/flawfinder/-/blob/master/.gitlab-ci.yml only needs final update - MR: gitlab-org/security-products/analyzers/flawfinder!60 (merged)
- https://gitlab.com/gitlab-org/security-products/tests/c/-/blob/master/.gitlab-ci.yml needs update, 2 FREEZE branches
- https://gitlab.com/gitlab-org/security-products/tests/cplusplus/-/blob/master/.gitlab-ci.yml needs update, 1 FREEZE branch
- https://gitlab.com/gitlab-org/security-products/analyzers/security-code-scan/-/blob/master/.gitlab-ci.yml exclude eslint,semgrep for downstream - MR: gitlab-org/security-products/analyzers/security-code-scan!87 (merged)
- https://gitlab.com/gitlab-org/security-products/tests/csharp-dotnetcore-multiproject/-/blob/master/.gitlab-ci.yml needs update, 3 FREEZE branches
- https://gitlab.com/gitlab-org/security-products/tests/dotnet5/-/blob/master/.gitlab-ci.yml needs update, 1 FREEZE branch
- https://gitlab.com/gitlab-org/security-products/analyzers/gosec/-/blob/master/.gitlab-ci.yml only needs final update
- https://gitlab.com/gitlab-org/security-products/tests/go-modules/-/blob/master/.gitlab-ci.yml needs update, 2 FREEZE branches
- https://gitlab.com/gitlab-org/security-products/tests/go/-/blob/master/.gitlab-ci.yml needs update, 4 FREEZE branches
- https://gitlab.com/gitlab-org/security-products/analyzers/kubesec/-/blob/master/.gitlab-ci.yml only needs final update - MR: gitlab-org/security-products/analyzers/kubesec!51 (merged)
- https://gitlab.com/gitlab-org/security-products/tests/kubernetes/-/blob/master/.gitlab-ci.yml needs update, the qa-gosec-sast job looks like it might be wrong
- https://gitlab.com/gitlab-org/security-products/analyzers/phpcs-security-audit/-/blob/master/.gitlab-ci.yml just needs final update
- https://gitlab.com/gitlab-org/security-products/tests/php-composer/-/blob/master/.gitlab-ci.yml needs update, 1 FREEZE branch
- https://gitlab.com/gitlab-org/security-products/analyzers/pmd-apex/-/blob/master/.gitlab-ci.yml needs final update - MR: gitlab-org/security-products/analyzers/pmd-apex!64 (merged)
- https://gitlab.com/gitlab-org/security-products/tests/apex-salesforce/-/blob/master/.gitlab-ci.yml needs update, 2 FREEZE branches
- https://gitlab.com/gitlab-org/security-products/analyzers/sobelow/-/blob/master/.gitlab-ci.yml needs final update - MR: gitlab-org/security-products/analyzers/sobelow!59 (merged)
- https://gitlab.com/gitlab-org/security-products/tests/elixir-phoenix/-/blob/master/.gitlab-ci.yml needs to exclude eslint,sobelow, 3 FREEZE branches
- https://gitlab.com/gitlab-org/security-products/analyzers/mobsf/-/blob/master/.gitlab-ci.yml needs update to use excludes I think - MR: gitlab-org/security-products/analyzers/mobsf!31 (merged)
- https://gitlab.com/gitlab-org/security-products/tests/java-android/-/blob/master/.gitlab-ci.yml mobsf project, needs to exclude spotbugs
- https://gitlab.com/gitlab-org/security-products/tests/injuredandroidapk/-/blob/master/.gitlab-ci.yml needs update
- https://gitlab.com/gitlab-org/security-products/analyzers/common/-/blob/master/.gitlab-ci.yml needs final update - MR: gitlab-org/security-products/analyzers/common!151 (merged)
- https://gitlab.com/gitlab-org/security-products/analyzers/secrets/-/blob/master/.gitlab-ci.yml needs final update - MR: gitlab-org/security-products/analyzers/secrets!115 (merged)
- https://gitlab.com/gitlab-org/security-products/analyzers/template/-/blob/master/README.md I don't understand what is going on here
- https://gitlab.com/gitlab-org/security-products/ci-templates/-/blob/master/includes-dev/analyzer.yml needs final update - MR: gitlab-org/security-products/ci-templates!221 (merged)
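As an added example (not configuration taken from this issue or from any of the projects listed above), here is what the migration looks like in a project's `.gitlab-ci.yml`: the allow-list variable that 14.0 removes next to the exclusion variable that replaces it. The scenario is assumed: a repository like the Ruby test projects above that also contains some JS and only wants the Ruby analyzer to run. The `Security/SAST.gitlab-ci.yml` template include and the analyzer names `brakeman`, `eslint` and `semgrep` are the standard SAST template's; nothing else is project-specific.

```yaml
# Added example, not from the issue or the listed projects. Assumed scenario:
# a Ruby project with a little JS that should only be scanned by brakeman.
include:
  - template: Security/SAST.gitlab-ci.yml

# Before (no longer honoured once the vendored template drops support):
# an allow-list. Only the analyzers named here run; any analyzer the
# template later adds to its defaults is silently skipped for this project
# until someone edits this line.
#
# variables:
#   SAST_DEFAULT_ANALYZERS: "brakeman"

# After: an exclusion list. Every analyzer the template enables by default
# runs, minus the ones named here, so new default analyzers are picked up
# automatically and only the jobs listed stay off.
variables:
  SAST_EXCLUDED_ANALYZERS: "eslint,semgrep"
```

Two things to check when converting a project. First, the new variable is a deny-list, so the analyzers to name are the ones that should not run, not the one that should, which is why the value flips from `brakeman` to `eslint,semgrep`. Second, once the template stops reading `SAST_DEFAULT_ANALYZERS`, a project that still sets only the old variable no longer gets a narrowed run; it gets every default analyzer, which is the situation the FREEZE branches noted above will be in until they are updated.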
While "Move Secure test projects to Secure analyzer projects" should remove our reliance on SAST_DEFAULT_ANALYZERS, we will go ahead with updating these templates so that we can remove SAST_DEFAULT_ANALYZERS in %14.0 (as opposed to waiting until that issue is resolved).
Edited by rossfuhrman